Rel. 3.5 Release Notes (page 20 of 30)
Release 3.5: Enhanced Support for VPN Clients
Using Peer to Peer Tunnels
• The Security Policy used by a Peer to Peer networking tunnel is identical to that used by EZ-IPSec, the streamlined implementation of IPSec on the ANG-1100. The encryption and integrity algorithms offered during Phase 2 security association construction, in order of preference, are:
  – Triple DES / SHA-1
  – Triple DES / MD5
  – ARCFOUR-128 / SHA-1
  – ARCFOUR-128 / MD5
  – Triple DES / NONE
  – DES / SHA-1
  – DES / MD5
  – DES / NONE
• Perfect Forward Secrecy is preferred (Modp768 - Group 1 is supported), but not required, for all Phase 2 negotiations.
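The following is an added example, not code from the release notes or from the ANG-1100 itself. It models how the Phase 2 preference list above plays out against a peer: the ordered list is transcribed from this page, the rule that the first proposal acceptable to both sides wins is standard IKEv1 quick-mode behaviour assumed here, the "weak" classification is the example's own, and the peer proposal sets are constructed sample data.

```python
# Phase 2 proposals offered by the ANG-1100, in order of preference
# (encryption, integrity), transcribed from the release notes.
ANG_1100_PHASE2 = [
    ("3DES", "SHA-1"),
    ("3DES", "MD5"),
    ("ARCFOUR-128", "SHA-1"),
    ("ARCFOUR-128", "MD5"),
    ("3DES", "NONE"),
    ("DES", "SHA-1"),
    ("DES", "MD5"),
    ("DES", "NONE"),
]

# Parameters a defender would flag, relative to this device's own list
# (3DES/SHA-1 is the best it can offer, so it is treated as the baseline).
WEAK_ENCRYPTION = {"DES", "ARCFOUR-128"}
WEAK_INTEGRITY = {"NONE", "MD5"}


def negotiate(our_proposals, peer_accepts):
    """Return the first of our proposals that the peer also accepts (IKEv1
    quick-mode selection, assumed), or None if there is no overlap."""
    for proposal in our_proposals:
        if proposal in peer_accepts:
            return proposal
    return None


def assess(proposal, pfs_used):
    """List the risks of the negotiated SA; an empty list means acceptable.

    pfs_used reflects the page's note that PFS is preferred but not
    required: a peer that declines it still gets a tunnel."""
    if proposal is None:
        return ["no common proposal; tunnel will not establish"]
    enc, integ = proposal
    findings = []
    if enc in WEAK_ENCRYPTION:
        findings.append(f"weak encryption: {enc}")
    if integ in WEAK_INTEGRITY:
        findings.append(f"weak or absent integrity: {integ}")
    if not pfs_used:
        findings.append("no PFS: compromise of the Phase 1 keys exposes this SA")
    return findings


if __name__ == "__main__":
    # Constructed peer that only accepts the oldest algorithms and no PFS.
    legacy_peer = {("DES", "MD5"), ("DES", "NONE")}
    chosen = negotiate(ANG_1100_PHASE2, legacy_peer)
    print(chosen, assess(chosen, pfs_used=False))
```

Because the device walks its list from the top, a peer configured with only the weak tail of the list silently pulls the tunnel down to DES; auditing the remote peer's accepted set is what keeps the negotiated SA at the 3DES/SHA-1 end.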
Configuring Peer to Peer Tunnels
To configure Peer to Peer mode between attached ANG-1100s, network administrators need to configure each ANG-1100 with the following values:
• Up to three (reachable) IP addresses and Subnet Masks of the remote peers that each ANG-1100 will connect to
• The public IP address (Gateway IP address) of the ANG-1100 at the opposite end of the connection
• The pre-shared keys (Passwords) of the ANG-1100 at the opposite end of the connection
For detailed instructions on how to configure Peer to Peer mode, refer to the ANG-1100 User's Guide.
Caveats
The following features are not supported:
• ANG-1100s connected to ANG-3000/7000s must use Client mode or NEM, not Peer to Peer mode. At this time, ANG-1100s connect to ANG-3000/7000s using EZ-IPSec with Client mode or NEM enabled.
• Failover from one Peer to Peer tunnel to another is not supported.
• Remote DNS and WINS name server IP addresses are not passed from one VPN peer to another when using Peer to Peer tunnels. DNS and WINS must be provided by the ISP, via another Client mode tunnel, by statically configuring them on the PC, or by setting up an external DHCP server.
• Dynamic routing information is not exchanged between peers connected by Peer to Peer tunnels. All routing is defined statically in the tunnel configuration.
• Routing information is not exchanged between Peer to Peer tunnels and Client mode tunnels. Each ANG-1100 that requires central site access via an ANG-3000/7000 must have its own Client mode tunnel. It may not access the central site via another ANG-1100's Peer to Peer tunnel.